Additional information in cert

It’s just a question:
I’m a geocacher from Germany.
Geocachers like to hide the coordinates of their cache sometimes in very strange locations. :)
Is there a way to provide one cert with additional information, like a coordinate?
Coordinates are written like N51° 10.444 E7° 10.444.
Best regards,

1 Like

Unless you can disguise those coordinates as a domain/subdomain name, no.

Many other – paid – CAs may give you more room to work with.

Some will include your email address in the certificate, so if you can get or whatever, that could work.

Additionally, OV and EV certificates can include an Organizational Unit field, intended for something like a corporate department. If you can get such a certificate, and the CA doesn’t much restrict what you put in the OU field, that could work.

However, the browsers have been cracking down on CAs putting nonsense in certificates. Especially syntactically strange, unvalidated nonsense. It may be more difficult, or impossible, to get a certificate like that now.


If you’re willing to be more subtle, you can create an (untrusted) self-signed certificate containing whatever you want. Then you could hook it up to your website somehow. For example, you could configure your web server to make it the default certificate, relying on SNI for your real websites’ certificates. Or you could include a link or image on your web page from a special subdomain. It wouldn’t load, but if users examined the certificate on the error page…


Okay, thanks for the idea with the email address :)
Do you know which provider could give me the possibility to assign an email address to the cert?
The self-signed cert would be discovered in minutes, believe me :)
One of my hardest riddles is that I send a secret code along with a JPG.
You can only find the code with Firebug.
I even hide a secret code in my domain name in the whois record of DENIC :)
A secret code like “Shzt66rf” hidden in the cert would be great :)

Or a blatant entry could be included in the cert SAN.
But the name would have to pass regular validation checks.

As I like puzzle stuff and often participate in puzzle events, the idea of something like this appeals to me a lot. (In fact, I would be tempted to use a mechanism like this in a puzzle myself if it were available.) However, the industry rules which other people in this thread have alluded to indicate that a certificate authority is responsible for being able to validate the correctness of all of the information included in a certificate. This is even so if the information does not directly affect a relying party’s or user agent’s willingness to accept the certificate, because in principle a user may examine the certificate and choose to believe its contents (or any new software may choose to use the information in the certificate and assert to the user that it’s true).

A theoretically appropriate method to add arbitrary data to a certificate is an X.509 extension with appropriate semantics that makes the information “correct” from the CA’s point of view. An example could be the Netscape Comment extension, which allows for adding a comment to the certificate (in which case the certificate authority only has to validate that the comment is really a comment—although in practice presumably that it doesn’t include any misleading natural-language text describing properties of the certificate subject or purposes for which the certificate can be used).

But it’s pretty expensive for CAs to make changes to their processes like this, because it would really require manual intervention on the CA’s part to issue a certificate with a custom extension. Unfortunately, that’s the exact opposite of the principle on which Let’s Encrypt operates (which is that everything must be completely operated to make certificates have as little cost as possible). Perhaps another CA would be willing to do it. Another concern is that CAs might feel that it’s indecorous to participate in puzzles or games that represent data inside a certificate because it’s not the intended purpose of the certification service, and perhaps could be viewed by RPs or UAs as showing a lack of seriousness (although I think one could also argue that it shows a degree of expertise about the appropriate way to represent things in X.509…).

The other suggestion here to represent the data in a hostname feels plausible to me, including via base32 encoding or even ASCII art or something. For example, following a Usenet newsgroup naming prank from the 1990s (search for alt.att.a and notice the ASCII art in the newsgroup names), you could have a number of subject alternative names which, when displayed in a tabular text file, spell things out as ASCII art somehow. This is actually probably achievable within existing Let’s Encrypt limits, and, if you actually prove control over those names, should comply with everyone’s policy obligations.

1 Like

So the “playing field” limit becomes:

one 63 char FQDN
ninety nine 255 char FQDNs

Let the games begin!

Some restrictions apply (consecutive chars limits)
Mileage may vary (TLD and base domain size will reduce your playing field)
Objects shown are purely representational and do not depict actual product
Must be eighteen years or bored to order.
No one can be held responsible for any time wasted while undergoing nor reading about this ungame.
Do not operate heavy machinery (while under the influence of random chars in your certs).
Some assembly, or Perl Script, may be required… See store for details… (coming soon - not)
Not available in all senses - switching to humor mode…
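A worked example, added here and not taken from the thread, of the base32-in-hostname scheme the two posts above describe: it spreads a secret over SAN names under a placeholder base domain, checks each name against the label and name lengths a CA’s syntax checks enforce (RFC 1035/1123) and Let’s Encrypt’s 100-names-per-certificate cap, and decodes the list back whatever order the CA emitted it in. The example.org base domain, the “NN-” sequence prefix and the chunk size are my own assumptions.

```python
import base64
import re

# Limits a CA's syntax checks enforce (RFC 1035 / RFC 1123) plus Let's Encrypt's
# per-certificate name cap. The base domain is a constructed placeholder.
BASE_DOMAIN = "example.org"
MAX_LABEL = 63          # one DNS label is at most 63 octets
MAX_FQDN = 253          # longest hostname in presentation form
MAX_SANS = 100          # Let's Encrypt issues at most 100 names per certificate
CHUNK = MAX_LABEL - 3   # leave room for a "NN-" sequence prefix in each label

# LDH label: letters, digits, hyphens; no leading/trailing hyphen; and no "--" in
# positions 3-4 (reserved for IDNA A-labels, which this encoder never emits).
LABEL_RE = re.compile(r"^(?!..--)[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def check_hostname(name: str) -> None:
    """Raise ValueError for a name a CA would refuse on syntax alone."""
    if len(name) > MAX_FQDN:
        raise ValueError(f"{name!r} exceeds {MAX_FQDN} characters")
    for label in name.split("."):
        if len(label) > MAX_LABEL or not LABEL_RE.match(label):
            raise ValueError(f"invalid DNS label {label!r} in {name!r}")


def encode_secret(secret: str, base_domain: str = BASE_DOMAIN) -> list[str]:
    """Spread a secret over SAN hostnames under base_domain.
    Base32 is used because certificates are lowercased and DNS is case-
    insensitive; its alphabet (a-z, 2-7) always forms a valid label. The
    zero-padded sequence prefix keeps order even if the CA sorts the names.
    """
    b32 = base64.b32encode(secret.encode()).decode().rstrip("=").lower()
    labels = [b32[i:i + CHUNK] for i in range(0, len(b32), CHUNK)]
    if len(labels) > MAX_SANS:
        raise ValueError(f"{len(labels)} names exceeds the {MAX_SANS}-SAN limit")
    names = [f"{n:02d}-{label}.{base_domain}" for n, label in enumerate(labels)]
    for name in names:
        check_hostname(name)
    return names


def decode_secret(names: list[str], base_domain: str = BASE_DOMAIN) -> str:
    """Recover the secret from the SAN list, in whatever order it was emitted."""
    suffix = "." + base_domain
    parts = []
    for name in names:
        if not name.endswith(suffix):
            raise ValueError(f"{name!r} is not under {base_domain}")
        seq, _, label = name[:-len(suffix)].partition("-")
        parts.append((int(seq), label))
    b32 = "".join(label for _, label in sorted(parts)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8)).decode()
```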

FYI: Your secret code is no longer a secret!
You've been BINGed: "Shzt66rf" - Bing

Perhaps you could use something like - put the 3 words as subdomains in your SAN so you get a single certificate that’s valid for, say, and and folks can go to to find your cache.

The only thing is I’m not sure if it’s possible to control which name is used as the CN for the certificate, as some browsers may display that name more prominently.

1 Like

It chooses alphabetically (I am told).

My submission to the game - for your indulgences: SAN scribblings

And just one more thing:
insecurity finds directions

1 Like

That’s terrific, @rg305! Nice job.

Have you found the coordinates?

And I thought I was crazy :)
Absolutely great.
Great idea.
I think that some cachers will hate me next time :)
Okay, most cachers :)

Best regards,

Have you found the coordinates?

One last thing:
X marks the spot (everyone knows that)

“The odds of hitting your target go up dramatically when you aim at it.”
-Mal Pancoast

In case anyone is wondering about the reference “AT&T YOU WILL”, it was inspired by this series of television ads from the United States in 1993:

The ads all asked “Have you ever ______? You will.” Each ad referred to one or more futuristic activities involving advanced communications technologies, video conferencing, e-commerce, telemedicine, etc. I found these ads very effective, and as one YouTuber points out there, they were in many cases extremely accurate about predicting the future.

No, I haven’t found them so far.

If anyone can find it - I think you can.
It doesn’t seem that difficult; but I’m tainted by the knowledge of the trick.
So the magic is in the illusion of hiding yourself while standing in plain sight.
Google has probably found the coordinates by now; it always looks at everything.
But I wouldn’t look for it there:
Hidden Figures is a movie title.
Certbot - we all know how much info there is on that
and WIN - that’s generally short for Windows
So too much of a target there…

Okay, I think that there is enough space in the SAN for an inverted QR code :)
What do you think?

Yes, quite easily :)
There are numeric-only and alphanumeric-only options for QR coding.
Unfortunately the alphanumeric option seems to only recognize uppercase letters, and certs seem to force everything to lowercase.
So, not to add unnecessary complexity, that still leaves the numeric-only option.
Which would play rather well in the SAN, as it would ignore all letters and only focus on the numbers.
And they can be sandwiched between letters or just off to the left of the domain name (in plain sight).
…who doesn’t like playing in the SAN…
You would have to create a standard (if one is not already out there) to incorporate the non-numeric entries in coordinates (north, south, east, west, longitude, latitude, etc.) as more numbers and maybe set specific lengths on each field (recall numeric doesn’t include punctuation - only zero through nine).
…fixed field lengths… RPG, FORTRAN, AH!!!
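As an added example (mine, not from the thread) of the fixed-field numeric convention the post above calls for: a made-up layout that maps a coordinate written as on this page, N51° 10.444 E7°10.444, to 18 decimal digits usable in QR numeric mode, with range checks on degrees and minutes, and back again. The hemisphere codes and field widths are my own choices, not a standard.

```python
import re

# Constructed fixed-field layout (not a published standard): each half of the
# coordinate becomes 9 digits -> hemisphere(1) degrees(3) minutes(2) thousandths(3),
# so the whole position fits QR numeric mode, which only carries 0-9.
HEMISPHERE = {"N": "1", "S": "2", "E": "3", "W": "4"}
HEMISPHERE_INV = {code: letter for letter, code in HEMISPHERE.items()}
COMPONENT_RE = re.compile(r"([NSEW])\s*(\d{1,3})°\s*(\d{1,2})\.(\d{3})")


def encode_coordinate(text: str) -> str:
    """Turn 'N51° 10.444 E7°10.444' into 18 decimal digits, latitude first."""
    parts = COMPONENT_RE.findall(text)
    if len(parts) != 2 or parts[0][0] not in "NS" or parts[1][0] not in "EW":
        raise ValueError(f"expected a latitude then a longitude in {text!r}")
    digits = ""
    for hemi, deg, minutes, thousandths in parts:
        deg_i, min_i = int(deg), int(minutes)
        limit = 90 if hemi in "NS" else 180     # range check per axis
        if deg_i > limit or min_i >= 60:
            raise ValueError(f"{hemi}{deg}° {minutes}.{thousandths} is out of range")
        digits += f"{HEMISPHERE[hemi]}{deg_i:03d}{min_i:02d}{thousandths}"
    return digits


def decode_coordinate(digits: str) -> str:
    """Inverse of encode_coordinate; yields the canonical 'N51° 10.444 E7° 10.444'."""
    if len(digits) != 18 or not digits.isdigit():
        raise ValueError("expected exactly 18 decimal digits")
    halves = []
    for field in (digits[:9], digits[9:]):
        if field[0] not in HEMISPHERE_INV:
            raise ValueError(f"unknown hemisphere code {field[0]!r}")
        hemi = HEMISPHERE_INV[field[0]]
        halves.append(f"{hemi}{int(field[1:4])}° {field[4:6]}.{field[6:]}")
    return " ".join(halves)
```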